# A CSRF vulnerability allows an attacker to change a user's information. This script has anti-CSRF protection, so we can't change a user's information without the token. So we use the 'hashtag' parameter to carry our encoded payload and bypass the CSRF protection: chat/hashtag?hashtag=[We have Reflected XSS here]
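Script reflected through `hashtag` runs in the application's own origin and can read the anti-CSRF token, so the token only holds once the reflection is fixed. The sketch below is an added example, not code from the affected script: it puts an unencoded rendering of `chat/hashtag?hashtag=` beside a validated and encoded one. The function names, the allow-list pattern and the response headers are assumptions.

```javascript
// Added example; every name and the hashtag policy below are assumptions.

// Constructed, harmless markup used to show whether a renderer encodes its input.
const SAMPLE_MARKUP = '<i>marker</i>';

// HTML-encode the characters that can leave text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Assumed policy: 1-64 letters, digits or underscores, with an optional leading '#'.
const HASHTAG_RE = /^[\p{L}\p{N}_]{1,64}$/u;

function parseHashtag(raw) {
  // Repeated query parameters often arrive as arrays; accept strings only.
  if (typeof raw !== 'string') return null;
  const tag = raw.startsWith('#') ? raw.slice(1) : raw;
  return HASHTAG_RE.test(tag) ? tag : null;
}

// Vulnerable shape: the query value is concatenated into the page unencoded.
function renderHashtagUnsafe(raw) {
  return `<h2>Messages tagged #${raw}</h2>`;
}

// Hardened shape: validate on input, encode on output, restrict script sources.
function renderHashtagSafe(raw) {
  const headers = {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
    'X-Content-Type-Options': 'nosniff',
  };
  const tag = parseHashtag(raw);
  if (tag === null) {
    // Never echo the rejected value back in the error page.
    return { status: 400, headers, body: '<h2>Invalid hashtag</h2>' };
  }
  return { status: 200, headers, body: `<h2>Messages tagged #${escapeHtml(tag)}</h2>` };
}
```

The encoding step stays in place even though the allow-list already excludes markup characters, so a later loosening of the pattern does not reopen the reflection.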